新聞財經娛樂♬資訊 News Economy

looks great. thanks again for posting back.

do you still have an issue there ?

looks like you did not allow external queries on other zones than your locally hosted one.

this should be workable by adapting the "internal" view which you probably do not need (do a copy-paste otherwise) by changing the "localnets" acl to the external ip of your seven machine (keeping "recursion yes" and the "vps.mysite.com" section)

best regards

I set it for internal and external client to control access
if  no nameserver 8.8.8.8 is found in resolv
it search other ISP/Public DNS recursively  (so set it recursion yes for internal client)



named.conf
=======================
include "/etc/rndc.key";

controls {
      inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

options {
    /* make named use port 53 for the source of all queries, to allow
         * firewalls to block all ports except 53:
         */

    // query-source    port 53;

    /* We no longer enable this by default as the dns posion exploit
        has forced many providers to open up their firewalls a bit */

    // Put files that named is allowed to write in the data/ directory:
    directory                "/var/named"; // the default
    pid-file                 "/var/run/named/named.pid";
    dump-file                "data/cache_dump.db";
    statistics-file          "data/named_stats.txt";
   /* memstatistics-file     "data/named_mem_stats.txt"; */
    allow-transfer {"none";};
};

logging {
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named").
 *      By default, SELinux policy does not allow named to modify the /var/named" directory,
 *      so put the default debug log file in data/ :
 */
    channel default_debug {
            file "data/named.run";
            severity dynamic;
    };
};


// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.

view "localhost_resolver" {
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
    match-clients         { 127.0.0.0/24; };
    match-destinations    { localhost; };
    recursion yes;

    zone "." IN {
        type hint;
        file "/var/named/named.ca";
    };

    /* these are zones that contain definitions for all the localhost
     * names and addresses, as recommended in RFC1912 - these names should
     * ONLY be served to localhost clients:
     */
    include "/var/named/named.rfc1912.zones";
};

view "internal" {
/* This view will contain zones you want to serve only to "internal" clients
   that connect via your directly attached LAN interfaces - "localnets" .
 */
    match-clients        { localnets; };
    match-destinations    { localnets; };
    recursion yes;

    zone "." IN {
        type hint;
        file "/var/named/named.ca";
    };

    // include "/var/named/named.rfc1912.zones";
    // you should not serve your rfc1912 names to non-localhost clients.

    // These are your "authoritative" internal zones, and would probably
    // also be included in the "localhost_resolver" view above :

zone "vps.mysite.com" {
      type master;
      file "/var/named/vps.mysite.com.db";
};


zone "mysite.com" {
      type master;
      file "/var/named/mysite.com.db";
};

};

view    "external" {
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
    recursion no;
    // you'd probably want to deny recursion to external clients, so you don't
    // end up providing free DNS service to all takers

    // all views must contain the root hints zone:
    zone "." IN {
        type hint;
        file "/var/named/named.ca";
    };

    // These are your "authoritative" external zones, and would probably
    // contain entries for just your web and mail servers:

    // BEGIN external zone entries


zone "vps.mysite.com" {
      type master;
      file "/var/named/vps.mysite.com.db";
};


zone "mysite.com" {
      type master;
      file "/var/named/mysite.com.db";
};




};

sorry, looks like my bind knowlege is a bit old, and i mixed up some parameter names.

http://www.zytrax.com/books/dns/ch7/queries.html#allow-recursion

recursion yes
allow-recursion { w.x.y.z; };

should be what you need in order to allow your seven host to issue query on the server

thanks for posting back

best regards

recursion yes in named.conf

domine name resolve-->Local DNS---> ISP/public DNS

recursion no in named.conf

domain name resolve->Local DNS only

THanks for your reply and talk you later

sorry about the part regarding 127.0.0.1
most likely we cross-posted, (or i'm blind-enough to have missed your post)

you'll definitively need to instruct bind to listen to another address or configure NAT rules in the local firewall if you expect the server to answer to remote queries. you'll also need to setup proper acls. refer to the link i posted in order to do so, the explanations are better than what i'd be able to give, and it is short.



actually what tells your server to forward queries to another server are the "forward" and "forwarders" options. i did not enven know bind could use stuff from resolv.conf (but that was a long-awaited feature, thanks for posting back). i'll assume that bind acts in this way when you do not define any forwarders and the forward option is on.

note that bind is a full-blown dns server that knows how to resolve queries recursively by itself when it is configured to do so (allow recursion, define the root "." zone and download a recent hints file from iana)


no. as far as i remember this setting enables the full-blown resolver i'm talking about above.

like you said, external client access requires that you make your bind listen on your wan address instead of localhost, and also add either ACLs in bind or firewall rules so you do not leave an open dns to the world.

--

happy to see you're getting into it.

if you do not understand what i mean by "full-blown recursive resolver" either google it or ask in this thread, understanding this will also answer to other questions you posted.

For my memo only
=====================
for this recent about DNS server tutorial thread, also help me to
find how to create infinite subdomain for my server such as mmm.mysite.com or
yyy.mysite.com , and the explaination  is defined clearly at
http://freelinuxtutorials.com/quick-tips-and-tricks/automatic-unlimited-subdomains-via-apache-mod_rewrite/

And I tested  it for my server, all subdomain is working.

Be clarify ,There is no such statments as follows  on my named.conf file


  allow-query       { localhost; };
  listen-on port    53 { 127.0.0.1; };
  listen-on-v6 port 53 { ::1; };

  dnssec-enable     yes;
  dnssec-validation yes;

Thanks for all of your reply

Now it is much better to understanding DNS, namserver, zone file

Duncan

I agree skullnobrain, and
I found my named.conf file, there is no such statement to listen port 53 by localhost

  allow-query       { localhost; };
  listen-on port    53 { 127.0.0.1; };
  listen-on-v6 port 53 { ::1; };

  dnssec-enable     yes;
  dnssec-validation yes;

DNS server software is installed most likely but the configuration in /etc/named.config will
determine whether my server is internal or public DNS server.
Now the those setting  of nameserver 8.8.8.8 in resolv.conf and "recusion yes"  in named.conf prove my server is using forwardering mode for DNS server from Google
public DNS server(8.8.8.8) that can be verfied when I delete 8.8.8.8 in resolv.conf,
so tht  nslookup yahoo.com 127.0.0.1 is not working,  and nslookup is working only for
those internal network site which is specified  domain name in named.conf for zone file

Those configuration in named.conf  show my server  is working as nameserver/DNS server for internal network or internal client only
and external client is prohibited by setting "recursion no" in the file and there is no
zone file for external client domain request besides localhost or mysite.com zone file

So no wonder why  mysite.com, domain name IP can be the same as the my nameserver IP from information by  http://www.intodns.com

domain: mysite.com(212.1.210.209)
namserver: ns1.mysite.com(212.1.210.209)
namserver: ns2.mysite.com(212.1.210.209)

Duncan

The default is for DNS to have TCP & UDP. You have to do something special to change that. I was assuming the target of interest has just a basic config

$ host google.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

Host google.com not found: 5(REFUSED)


I got the similar thing you have
but why I can dig  goolge.com  for its IP  ? the answer  might be the nameserver 8.8.8.8 in resolv.conf file , Right ?

Nslookup also  takes a hostfile in consideration. dig is a pure dns query t9ol.

You confire your resolv.conf a dns server wont touch it.
Several dns servers do exist the most common one is bind.
Install its package and complete its configuration for your domain.
Use dig to verify how it functions and then update resolv.conf yourself. If you also allow localhost in your serverconfig then resolv.conf shoul refer to 127.0.0.1